
Bug 114947

Summary: www-apache/libapreq2-2.06: Insecure RUNPATHs in perl modules
Product: Gentoo Security
Reporter: Bill Gates <cadaver>
Component: Runpath Issues
Assignee: Gentoo Security <security>
Status: RESOLVED WORKSFORME
Severity: minor
CC: Mess1214, perl
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 81745

Description Bill Gates 2005-12-08 19:59:18 UTC
making executable: /usr/lib/libapreq2.so.2.1.3 
 
QA Notice: the following files contain insecure RUNPATH's 
 Please file a bug about this at http://bugs.gentoo.org/ 
 For more information on this issue, kindly review: 
 http://bugs.gentoo.org/81745 
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Apache2/Apache2.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/CGI/CGI.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Cookie/Cookie.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Error/Error.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Hook/Hook.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Param/Param.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Parser/Parser.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Request.so
 
 
!!! ERROR: www-apache/libapreq2-2.06 failed.
!!! Function dyn_install, Line 1057, Exitcode 0
!!! Insecure binaries detected
!!! If you need support, post the topmost build error, NOT this status message.

Reproducible: Always
Steps to Reproduce:
1. emerge www-apache/libapreq2-2.06
 
Actual Results:  
!!! ERROR: www-apache/libapreq2-2.06 failed.
!!! Function dyn_install, Line 1057, Exitcode 0
!!! Insecure binaries detected
!!! If you need support, post the topmost build error, NOT this status message.
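Why Portage refuses to install these objects, and a check for it. This is an added example, not code from this bug, from libapreq2 or from Portage's own QA scripts. Each listed `.so` carries a RUNPATH that names `/var/tmp/portage/libapreq2-2.06/work/.../library/.libs` ahead of `/usr/lib`. The dynamic loader consults DT_RUNPATH when resolving an object's own DT_NEEDED entries, after LD_LIBRARY_PATH but before the default directories, so every process that loads one of these Perl modules first looks for libapreq2 in a directory that disappears when the build is cleaned. Whether that is exploitable on a given host depends on who can recreate the path (on a box where `/var/tmp` is the usual mode-1777 scratch directory and `/var/tmp/portage` is absent, any local user can), which is why a build-time QA check rejects any build-directory, relative or empty element outright instead of reasoning about the live filesystem. Two caveats when reading such output: glibc ignores DT_RPATH once DT_RUNPATH is present, and DT_RUNPATH, unlike DT_RPATH, is not inherited by transitive dependencies. The script below reproduces that classification over `<runpath> <object>` lines in the format of the notice above, which is also what `scanelf -qyRF '%r %p'` from pax-utils prints. The first two sample lines are copied from this report; the remaining sample lines, the `BUILD_DIR_PREFIXES` list and the names `Finding`, `classify_entry`, `scan_report` and `report` are constructed for the example.

```python
"""Classify DT_RUNPATH/DT_RPATH elements the way a packaging QA check does.

Added example; not code from this bug report, from libapreq2 or from
Portage.  Input is one line per object, "<runpath> <object>", as in the QA
notice above and as printed by `scanelf -qyRF '%r %p'` (pax-utils).
"""

import os
import re
from dataclasses import dataclass

# Prefixes that exist only while a package builds, or that any local user
# can write to.  /var/tmp/portage is Portage's default build tree; the list
# is an assumption for the example, not read from make.conf.
BUILD_DIR_PREFIXES = ("/var/tmp/portage", "/var/tmp", "/tmp")

# scanelf's %r field never contains spaces; the object path follows one space.
LINE_RE = re.compile(r"^(?P<runpath>\S+) (?P<obj>\S+)$")


@dataclass(frozen=True)
class Finding:
    obj: str      # object whose RUNPATH is affected (relative to the image dir)
    entry: str    # the offending RUNPATH element
    reason: str   # why it is rejected


def classify_entry(entry, build_prefixes=BUILD_DIR_PREFIXES):
    """Return None if the element is acceptable, else why it is insecure.

    Rules a build-time check can apply without looking at the live
    filesystem: an empty element, a relative element or anything under a
    build/scratch tree is rejected.  $ORIGIN-relative and other absolute
    paths are left to the packager, since their safety depends on who can
    write to those directories.
    """
    if entry == "":
        # "a::b", ":a" and "a:" all contain an empty element, which ld.so
        # treats as the current working directory of the process.
        return "empty element, searched as the current directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return None
    if not entry.startswith("/"):
        return "relative element, searched relative to the current directory"
    norm = os.path.normpath(entry)          # "/tmp/../usr/lib" is really /usr/lib
    for prefix in build_prefixes:
        if norm == prefix or norm.startswith(prefix + "/"):
            return f"under build/scratch directory {prefix}"
    return None


def scan_report(lines, build_prefixes=BUILD_DIR_PREFIXES):
    """Parse '<runpath> <object>' lines and return every insecure element found."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m.group("runpath") == "-":   # "-" is scanelf's "no RUNPATH"
            continue
        runpath, obj = m.group("runpath"), m.group("obj")
        for element in runpath.split(":"):
            reason = classify_entry(element, build_prefixes)
            if reason is not None:
                findings.append(Finding(obj, element, reason))
    return findings


def report(lines, build_prefixes=BUILD_DIR_PREFIXES):
    """Group findings per object, in the shape a QA notice would print."""
    grouped = {}
    for f in scan_report(lines, build_prefixes):
        grouped.setdefault(f.obj, []).append((f.entry, f.reason))
    return grouped


# Sample report: the first two lines are copied from the QA notice in this
# bug; the other three are constructed to exercise the remaining rules.
SAMPLE_REPORT = """\
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Apache2/Apache2.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi/auto/APR/Request/Request.so
/usr/lib: usr/lib/example/constructed-trailing-colon.so
.libs:/usr/lib usr/lib/example/constructed-relative.so
$ORIGIN/../lib:/usr/lib/apache2/modules usr/lib/example/constructed-clean.so
"""


if __name__ == "__main__":
    bad = report(SAMPLE_REPORT.splitlines())
    if bad:
        print("QA Notice: the following files contain insecure RUNPATHs")
        for obj, problems in bad.items():
            print(f"  {obj}")
            for entry, reason in problems:
                print(f"      {entry!r}: {reason}")
    raise SystemExit(1 if bad else 0)
```

On a live system, feed it the output of `scanelf -qyRF '%r %p' <dir>`, or inspect a single object with `readelf -d <file>` and look for the `(RPATH)` and `(RUNPATH)` lines. An already-installed object can be cleaned with `chrpath -d <file>` or `patchelf --remove-rpath <file>`, but the real fix is to stop the build from passing the build directory as `-rpath` at link time, which comment #8 on this bug traces to ExtUtils::MakeMaker.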
Comment 1 Bill Gates 2005-12-08 20:01:40 UTC
Portage 2.0.53 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.6-r0, 
2.6.13-suspend2-r5 i686) 
================================================================= 
System uname: 2.6.13-suspend2-r5 i686 AMD Athlon(TM) XP 2500+ 
Gentoo Base System version 1.6.13 
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) 
[disabled] 
ccache version 2.4 [disabled] 
dev-lang/python:     2.4.2 
sys-apps/sandbox:    1.2.13 
sys-devel/autoconf:  2.13, 2.59-r7 
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 
sys-devel/binutils:  2.16.1-r1 
sys-devel/libtool:   1.5.20-r1 
virtual/os-headers:  2.6.11-r3 
ACCEPT_KEYWORDS="x86 ~x86" 
AUTOCLEAN="yes" 
CBUILD="i686-pc-linux-gnu" 
CFLAGS="-O9 -march=athlon-xp -fno-delayed-branch -fcse-skip-blocks      
-fstrength-reduce -fforce-mem -fpeephole2 -fdelete-null-pointer-checks   
-freorder-functions -freduce-all-givs -s" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d" 
CXXFLAGS="-O9 -march=athlon-xp -fno-delayed-branch -fcse-skip-blocks    
-fstrength-reduce -fforce-mem -fpeephole2 -fdelete-null-pointer-checks   
-freorder-functions -freduce-all-givs -s" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoconfig distlocks sandbox sfperms strict" 
GENTOO_MIRRORS="http://ftp.linux.ee/pub/gentoo/distfiles/ 
ftp://ftp.linux.ee/pub/gentoo/distfiles/ http://mirror.aiya.ru/pub/gentoo/ 
ftp://gentoo.inode.at/source/" 
LANG="ru_RU.UTF-8" 
LC_ALL="ru_RU.UTF-8" 
LINGUAS="en ru" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
SYNC="rsync://rsync.gentoo.org/gentoo-portage" 
USE="x86 16bittmp 3dnow 3dnowext X Xaw3d a52 aac aalib acl acpi ada adns afs 
alsa ansi apache2 apm arts audiofile avi bash-completion berkdb big-tables 
bitmap-fonts bootsplash bzip2 cdparanoia cdr cluster crypt cscope cups curl 
customlog custreloc dbx dga dio directfb divx4linux dlopen dlz dri dv dvb dvd 
dvdr dvdread emboss encode exif expat extensions extraengine fam fastcgi fax 
fbcon fdftk ffmpeg flac follow-xff font-server foomatic foomaticcdb foomaticdb 
fortran freetype ftp gcj gd gdbm geoip geometry gif glitz glut gmp gpm guile 
hal haskell iconv ieee1394 imagemagick imap imlib ipv6 ithreads jack java 
javascript jpeg kde kdeenablefinal kerberos kqemu krb5 latex lcms ldap lesstif 
libcaca libg++ libwww linuxthreads-tls lirc lm_sensors logrotate mad maildir 
mailwrapper matroska matrox menubar mikmod ming mmap mmx mmx2 mmxext mng motif 
mozcalendar mozdevelop mozsvg mp3 mpeg mpi mpm-worker mysql mysqli mythtv nas 
ncurses neXt network nis nls nptl nptlonly nvidia objc odbc offensive ogg 
oggvorbis openal opengl pam pam_console pascal pbs pcre pda pdflib perforce 
perl perlsuid pg-hier pg-intdatetime pic png portaudio posix ppds prelude 
profile python qdmc qt qtaudio quicktime radius readline recode rtc sample 
sasl scanner scp sdk sdl sensord skey slang slp sockets soundtouch spell sql 
sqlite srp sse ssl svg svga tcltk tcpd tetex theora threads tidy tiff truetype 
truetype-fonts type1-fonts udev underscores unicode urandom usb userlocales 
utf8 v4l vhosts vidix visualization vorbis voxware wifi win32codecs wmf xanim 
xface xgetdefault xine xinerama xinetd xml xml2 xsl xv xvid xvmc yahoo zeo 
zero-penalty-hit zeroconf zlib linguas_en linguas_ru userland_GNU kernel_linux 
elibc_glibc" 
Unset:  ASFLAGS, CTARGET, LDFLAGS, MAKEOPTS, PORTDIR_OVERLAY 
 
Comment 2 Bryan Østergaard (RETIRED) gentoo-dev 2005-12-10 03:18:07 UTC
Nothing to do with developer relations.
Comment 3 Michael Cummings (RETIRED) gentoo-dev 2005-12-16 14:17:14 UTC
Another 5.8.7-related bug, methinks - need to get a metabug for this once I can confirm the cause (since I can't dup so far). Although with CFLAGS like that, I'd hesitate to touch this bug unless you can verify you have 8 processors.
Comment 4 James M 2005-12-17 21:13:32 UTC
I have this problem too.  Here is my emerge info:


Portage 2.1_pre1 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r3, 2.6.14-hardened-r1 i686)
=================================================================
System uname: 2.6.14-hardened-r1 i686 Intel(R) Xeon(TM) CPU 3.20GHz
Gentoo Base System version 1.12.0_pre11
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.20-r1
virtual/os-headers:  2.6.11-r3
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.espri.arizona.edu/gentoo/ http://mirror.usu.edu/mirrors/gentoo/ http://mirror.datapipe.net/gentoo http://mirror.datapipe.net/gentoo http://gentoo.chem.wisc.edu/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j5"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl acpi apache apache1 bash-completion bzip2 cdr crypt cups dlloader doc dvd dvr expat extraengine fastcgi foomaticdb gd gdbm gmp hal hardened imap innodb ithreads javascript jpeg libwww maildir mmx mysql mysqli ncurses nls no-suexec nptl pam pcre perl php pic png posix profile readline reiserfs sasl session sockets spell spl sse ssl tcpd tiff tokenizer truetype udev unicode usb userlocales utf8 vhosts x86 xfs xml xml2 zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LINGUAS, PORTDIR_OVERLAY
Comment 5 Michael Cummings (RETIRED) gentoo-dev 2005-12-19 09:13:18 UTC
James - are you also running a threaded perl? (nm that original poster needs to clean up his make.conf since he disabled distcc but left all the flags intact for a multi-cpu compile)
Comment 6 James M 2005-12-19 11:34:37 UTC
Yes I am running a threaded perl.  Here is the applicable part of the  perl -V output:

 config_args='-des -Darchname=i686-linux-thread -Dcccdlflags=-fPIC -Dccdlflags=-rdynamic -Dcc=i686-pc-linux-gnu-gcc -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr -Dlocincpth=  -Doptimize=-O2 -march=pentium4 -pipe -fomit-frame-pointer -Duselargefiles -Dd_semctl_semun -Dscriptdir=/usr/bin -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dinstallman1dir=/usr/share/man/man1 -Dinstallman3dir=/usr/share/man/man3 -Dman1ext=1 -Dman3ext=3pm -Dinc_version_list=5.8.0 5.8.0/i686-linux-thread-multi 5.8.2 5.8.2/i686-linux-thread-multi 5.8.4 5.8.4/i686-linux-thread-multi 5.8.5 5.8.5/i686-linux-thread-multi 5.8.6 5.8.6/i686-linux-thread-multi  -Dcf_by=Gentoo -Ud_csh -Dusethreads -Di_ndbm -Di_gdbm -Ui_db'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='i686-pc-linux-gnu-gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -march=pentium4 -pipe -fomit-frame-pointer',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -fno-strict-aliasing -pipe'
    ccversion='', gccversion='3.4.4 (Gentoo Hardened 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='i686-pc-linux-gnu-gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lpthread -lnsl -lndbm -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/libc-2.3.5.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.3.5'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'


Characteristics of this binary (from libperl):
  Compile-time options: MULTIPLICITY USE_ITHREADS USE_LARGE_FILES
                        PERL_IMPLICIT_CONTEXT
  Built under linux
  Compiled at Dec  6 2005 13:23:19
Comment 7 James M 2005-12-19 13:46:31 UTC
I just recompiled perl without threads and I am getting a similar error as below when compiling libapreq2:

strip: i686-pc-linux-gnu-strip --strip-unneeded
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/CGI/CGI.so
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Hook/Hook.so
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Cookie/Cookie.so
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Apache2/Apache2.so
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Error/Error.so
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Param/Param.so
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Parser/Parser.so
   /usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Request.so
   /usr/lib/libapreq2.so.2.1.3
   /usr/lib/apache2/modules/mod_apreq2.so
removing executable bit: /usr/lib/libapreq2.la

QA Notice: the following files contain insecure RUNPATH's
 Please file a bug about this at http://bugs.gentoo.org/
 For more information on this issue, kindly review:
 http://bugs.gentoo.org/81745
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/CGI/CGI.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Hook/Hook.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Cookie/Cookie.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Apache2/Apache2.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Error/Error.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Param/Param.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Parser/Parser.so
/var/tmp/portage/libapreq2-2.06/work/libapreq2-2.06-dev/library/.libs:/usr/lib usr/lib/perl5/vendor_perl/5.8.7/i686-linux/auto/APR/Request/Request.so


!!! ERROR: www-apache/libapreq2-2.06 failed.
!!! Function dyn_install, Line 1113, Exitcode 0
!!! Aborting due to serious QA concerns
!!! If you need support, post the topmost build error, NOT this status message.

Comment 8 James M 2005-12-19 14:38:21 UTC
I took a look at #105054 (the same problem with subversion).  I noticed there was a patch to ExtUtils::MakeMaker.  But for some reason when I re-emerged perl, it did not apply this patch.  So I hacked the module manually and I was able to emerge both libapreq2 and subversion.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-08 13:28:37 UTC
If you haven't done so, please run "perl-cleaner all" (app-admin/perl-cleaner) and retry to emerge libapreq. Report back if that worked, please. Thanks.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-01-15 09:45:31 UTC
Also if you have ExtUtils-MakeMaker installed, unmerge it and try again.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-01-16 05:53:20 UTC
Reporter: resolving as WORKSFORME. If the workarounds in comments #8, #9 or #10 don't cut it for you, please reopen.